Advanced CIA firmware has been infecting Wi-Fi routers for years

Home routers from 10 manufacturers, including Linksys, D-Link, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That's according to secret documents posted Thursday by WikiLeaks.

CherryBlossom, as the implant is code-named, can be especially effective against targets using some D-Link-made DIR-130 and Linksys-manufactured WRT300N models because they can be remotely infected even when they use a strong administrative password. An exploit code-named Tomato can extract their passwords as long as a default feature known as Universal Plug and Play (UPnP) remains on. Routers that are protected by a default or easily guessed administrative password are, of course, trivial to infect. In all, the documents say CherryBlossom runs on 25 router models, although it's likely modifications would allow the implant to run on at least 100 more.

The 175-page CherryBlossom user guide describes a Linux-based operating system that can run on a broad range of routers. Once installed, CherryBlossom turns the device into a "FlyTrap" that beacons to a CIA-controlled server known as a "CherryTree." The beacon includes device status and security information that the CherryTree logs to a database. In response, the CherryTree sends the infected device a "Mission" consisting of specific tasks tailored to the target. CIA operators can use a "CherryWeb" browser-based user interface to view FlyTrap status and security information, plan new missions, view mission-related data, and perform system administration tasks.

Missions can target connected users based on IPs, e-mail addresses, MAC addresses, chat user names, and VoIP numbers. Mission tasks can include copying all or only some of the traffic; copying e-mail addresses, chat user names, and VoIP numbers; invoking a feature known as "Windex," which redirects a user's browser in an attempt to perform a drive-by malware attack; establishing a virtual private network connection that gives access to the local area network; and proxying all network connections.

All communications between the FlyTrap and the CIA-controlled CherryTree, with the exception of copied network data, are encrypted and cryptographically authenticated. For extra stealth, the encrypted data masquerades as a browser cookie in an HTTP GET request for an image file. The CherryTree server then responds to the request with a corresponding binary image file.

A decade of hacking routers

In many respects, CherryBlossom isn't much different from DNSChanger and other types of router malware that have infected hundreds of thousands of devices over the past few years. What sets the CIA implant apart the most is its full suite of features, including its user interface, command-server support, and a long list of mission tasks. Also significant: the documents date back to 2007, when router hacking was less developed than it is now.

CherryBlossom is the latest release in WikiLeaks' Vault7 series, which the site purports was made possible when the "CIA lost control of the majority of its hacking arsenal." CIA officials have declined to confirm or deny the authenticity of the documents, but based on the number of pages and unique details exposed in the series, there is broad consensus among researchers that the documents are actual CIA materials.

What's more, researchers from security firm Symantec have definitively linked at least one Vault7 release to an advanced hacking operation that has been penetrating governments and private industries around the world for years. While WikiLeaks said Vault7 was intended to "initiate a public debate about the security, creation, use, proliferation, and democratic control of cyberweapons," little or nothing published to date has shown the CIA running afoul of its legal mandate.

Like the other Vault7 releases, Thursday's installment doesn't include the source code or binaries that would allow other hacker groups to appropriate the CIA's router-hijacking capabilities. That makes the leaks significantly less damaging than those by the Shadow Brokers, the name used by a still-unknown group that has published advanced hacking tools developed by and later stolen from the National Security Agency. April's release of an NSA-developed tool codenamed EternalBlue resulted in the WCry outbreak that infected an estimated 727,000 computers in 90 countries.

Thursday's Vault7 release does, however, provide so-called indicators of compromise that targets can use to determine if they were hacked. As pointed out by a researcher who tweets under the handle Xorz, the release may also allow people to identify CIA-controlled CherryTree servers, since they all seem to use the word "CherryWeb" in their default URLs.
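The two observable traits the article gives for this implant, the "CherryWeb" string in CherryTree default URLs and beacons that travel as a cookie on an HTTP GET for an image file, can both be hunted for in ordinary web proxy logs. The script below is an added example written for this page, not code from the article or from the leaked documents. The log lines are constructed, the one-line log layout (client, method, URL, status, then the Cookie header in quotes) is an assumed proxy format, and the cookie-length and entropy thresholds are assumptions a defender would tune against their own baseline.

```python
"""
Hunt for two CherryBlossom-style indicators in web proxy / access logs:
  1. URLs that contain the string "CherryWeb" (the default-URL indicator
     a researcher pointed out), and
  2. HTTP GET requests for image files that carry an unusually long,
     high-entropy Cookie value, the shape the article gives for
     FlyTrap-to-CherryTree beacons.
The log lines and the log format are constructed for this example.
"""
import math
import re
from typing import Dict, List, Optional

# Constructed sample lines: a benign image fetch, a benign page with a short
# cookie, a URL carrying the CherryWeb indicator, an image fetch with a long
# random-looking cookie, and an unrelated POST.
SAMPLE_LOG = [
    '10.0.0.5 GET http://cdn.example.net/img/logo.png 200 "sessionid=abc123"',
    '10.0.0.6 GET http://shop.example.com/cart 200 "cart=3;lang=en"',
    '10.0.0.7 GET http://203.0.113.9/CherryWeb/index.php 200 ""',
    '10.0.0.8 GET http://203.0.113.10/images/banner.gif 200 "id=Zk9xL2pR8vT1mW4nQ7aB3cD6eF0gH2jK5lM8nP1qR4sT7uV0wX3yZ6aB9cD2eF5gH8jK"',
    '10.0.0.9 POST http://api.example.org/upload 201 "token=short"',
]

# Assumed one-line proxy log layout (not a real product's format).
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".bmp")
INDICATOR = "cherryweb"     # case-insensitive substring taken from the article
MIN_COOKIE_LEN = 48         # assumed threshold for a "long" cookie value
MIN_ENTROPY = 4.0           # assumed bits/char threshold for "random-looking"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encrypted/encoded blobs score high."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def cookie_values(cookie_header: str) -> List[str]:
    """Return only the values of 'name=value; name=value' pairs."""
    values = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if "=" in part:
            values.append(part.split("=", 1)[1])
    return values


def classify(rec: Dict[str, str]) -> List[str]:
    """Reasons a single parsed request looks like one of the two indicators."""
    reasons = []
    if INDICATOR in rec["url"].lower():
        reasons.append("url-contains-cherryweb")
    path = rec["url"].split("?", 1)[0].lower()
    if rec["method"] == "GET" and path.endswith(IMAGE_EXT):
        for v in cookie_values(rec["cookie"]):
            if len(v) >= MIN_COOKIE_LEN and shannon_entropy(v) >= MIN_ENTROPY:
                reasons.append("image-get-with-high-entropy-cookie")
                break
    return reasons


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Run both checks over a list of log lines and return the hits in order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"client": rec["client"], "url": rec["url"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['client']} {f['url']} -> {', '.join(f['reasons'])}")
```

The second check is a heuristic, not a signature: legitimate CDNs sometimes set long opaque cookies on image requests, so in practice it is a lead to correlate with the first check, with the destination's reputation, and with whether the requesting host is the router itself rather than a client behind it.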

A general defense more technically inclined users can take against router-based malware that monitors and tampers with Internet traffic is to put the router in question into passive mode and connect it to a network hub and a trusted router. This allows the person to see all traffic going into and out of the network.

Promoted Comments

I found the use of Tomato interesting, considering TomatoRouter is a Linux-based router OS replacement.

These names are randomly selected from a list of names generated for specific types of targets. This is why the names share a similar type, but the specific name is chosen at random from a much longer list.

So, presumably, those of us running custom router firmware (tomato, dd-wrt) don't need to worry? Or should I turn UPNP off anyway?

You should always disable UPnP on any router, IMO, unless you have a very good reason not to do so. Generally speaking, anything that allows a device to automatically adjust settings is a horrible security vulnerability waiting to happen. With how critical a router is to overall security of a network, it's a no-brainer to kill as much as possible.

The only reason to have UPnP at all is so novices can use advanced features such as routing external traffic to a specific device without the need to tinker in the settings. If you're capable of installing custom firmware on the device, you're more than capable of setting those things up yourself.
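A quick way to confirm that the advice above has actually taken effect is to ask the network whether anything still answers UPnP discovery. The script below is an added example, not code posted by the commenter or from the article: it builds a standard SSDP M-SEARCH for the Internet Gateway Device profile, parses the replies, and reports whether a gateway is advertising UPnP. The parsing and decision functions are pure so they can be checked offline against the constructed reply; the `discover()` probe needs a real LAN. The sample LOCATION, SERVER and USN values are constructed placeholders.

```python
"""
Check whether a router on the local network still answers UPnP (SSDP)
discovery. Added example: the SSDP request/response format is the one
from the UPnP Device Architecture spec; the sample reply is constructed.
"""
import socket
from typing import Dict, List, Optional

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# Constructed SSDP reply in the shape an IGD-capable router sends back.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
    "SERVER: ExampleOS/1.0 UPnP/1.1 ExampleIGD/2.0\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "\r\n"
)


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Standard SSDP discovery request: HOST, MAN, MX and ST headers."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw: str) -> Optional[Dict[str, str]]:
    """Return header name -> value (names upper-cased) for a 200 OK reply, else None."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # split at the first colon only
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def is_gateway_advertising_upnp(headers: Dict[str, str]) -> bool:
    """True when the reply describes an Internet Gateway Device with a description URL."""
    st = headers.get("ST", "")
    usn = headers.get("USN", "")
    return "InternetGatewayDevice" in (st + usn) and headers.get("LOCATION", "").startswith("http")


def discover(timeout: float = 3.0) -> List[Dict[str, str]]:
    """Live probe: multicast one M-SEARCH and collect parsed 200 OK replies (needs a LAN)."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        s.settimeout(timeout)
        s.sendto(build_msearch(), SSDP_ADDR)
        try:
            while True:
                data, addr = s.recvfrom(65535)
                hdrs = parse_ssdp_response(data.decode("utf-8", errors="replace"))
                if hdrs is not None:
                    hdrs["_FROM"] = addr[0]
                    found.append(hdrs)
        except socket.timeout:
            pass   # no more replies within the MX window
    return found


if __name__ == "__main__":
    replies = discover()
    if not replies:
        print("No UPnP replies: nothing on this LAN answered discovery.")
    for h in replies:
        flag = "IGD exposed" if is_gateway_advertising_upnp(h) else "other UPnP device"
        print(f"{h['_FROM']}: {flag} ({h.get('SERVER', '?')}) at {h.get('LOCATION', '?')}")
```

A silent run after disabling UPnP in the router's settings is the result you want; a reply that still names an InternetGatewayDevice means the setting did not take, or another device on the segment is offering the same service.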

The CIA's focus is external intelligence. The 4th Amendment does not apply beyond the borders of the US. Barring it being a US citizen or national, of course, and I don't believe anyone has shown they routinely target those.

Not that the surveillance state is an entirely positive thing, mind you. I think we need much better controls on the various agencies. That does not, however, justify knee jerk reactions which aren't even accurate. All that sort of lazy argument does is give those who disagree an easy out.

Sometimes I think of Ars as a Moot and I'm cool with that but at least leave obtuse in the grass.

It's not a matter of 'cause they do it I can do it'. Rather it's 'cause they do it I have to do it'. We don't have much to fear from the UK, Canada, Australia and New Zealand. We have a lot to fear from Russia, North Korea, and various other countries. If we don't engage in these activities then we will be at a disadvantage because those countries will continue. We've been lucky that the Five Eyes are willing to work together both politically and economically. The rest of the world is not so accommodating.

As a reminder, folks, the CIA gets its orders directly from the executive branch. That means Bush's administration gave the order to create numerous backdoors, and the Obama administration continued to keep it under wraps.

You can't trust either party.

OR, if you don't happen to live in the USA, the USA is no less a risk than China for spyware, malware, state sponsored hacking, etc.

I would be quite disappointed if our intelligence agencies couldn't hack routers.

As a non-US citizen I'd like to remind you that the CIA is guilty of espionage by doing this under my country's laws.

Of course as one of the closest allies and 'friends' of the USA our government has never done anything to even since we discovered in the 1970s* that the CIA tried to engineer a coup against the democratically elected government because they show a tiny amount of independence from the US. And this is Australia I'm talking of, not some South American republic or similar.

Isn't Australia a member of the Five Eyes group? I'd imagine there's some agreement between the parties which circumvents those laws. Not that this is right, mind you, but it means the laws you're speaking of may be inapplicable due to your own government's actions.

You apparently haven't tried getting an actual network hub in the last 5 years have you?? - Network hubs are no longer in production. You have to buy a managed switch and use the port mirroring (also known as SPAN (Switched Port ANalyzer)) in order to capture your network traffic.

I just use Sophos UTM9 running on an old computer I had laying around, it functions as an IPS/IDS, Router, Firewall, Proxy, AV Manager, and a bunch of other features I'm forgetting plus it's free for home users. Nothing like using an enterprise grade unified threat manager on your home network

OR, if you don't happen to live in the USA, the USA is no less a risk than China for spyware, malware, state sponsored hacking, etc.

Let's be honest: these admittedly hostile actions are in the national interest of both countries. If your country's spies aren't doing the same, then you ought to seriously reconsider how your taxes are being used.

That logic is so fucked...

...It is honest but still fucked.

why? it's literally what spying is... if the US decides to stop trying to spy on foreign adversaries then i'd say we're "fucked" as you so eloquently put it.

We use a lot of D-Link ADSL modems (mostly DSL-526Bs). Most of them are in bridging mode, but some run PPPoE and thus have an Internet-routable IP address. The ones running PPPoE crash a lot - or at least stop working. A software reboot fixes it. The first thing that springs to mind is they have been exploited.

But if that's true I don't know how. I've disabled all internet facing IP Addresses. By "Disabled All", I mean I've nmap'ed the thing and tested every open port, both TCP and UDP. Yet it still happens.

Every time Ars has an article like this, it seems the picture is of a D-Link device. It is never one I use, but still it gives me the willies.

Nah, they know full well why that's the case, but they view their actions as a necessary evil. People who have no idea what the CIA's / NSA's methods entail and/or people who view America as having an inalienable right to do as it pleases to anyone and everyone are the ones who potentially wonder that.

The CIA is doing what the CIA should be doing, but the US desperately needs a counterintelligence agency for the digital age. I would say that the FBI should be that agency, as in terms of traditional espionage, they work to track and apprehend spies, as well as coordinating with private firms that may be under attack, however they hoard vulnerabilities just like the CIA and NSA. We need an agency with a purely defensive mandate that both finds, helps fix, and takes a hard line with corporations that don't patch/recall vulnerable devices.

As a reminder, folks, the CIA gets its orders directly from the executive branch. That means Bush's administration gave the order to create numerous backdoors, and the Obama administration continued to keep it under wraps.

You can't trust either party.

If this is news to you, then you are hopelessly naive. XD

One of the best documentaries Frontline has ever produced is The United States of Secrets. It makes Laura Poitras' "CitizenFour" look like a silly Lifetime movie, and Oliver Stone's "Snowden" appear even less legitimate than a Christopher Guest mockumentary. (In other words, if you haven't seen it, check it out.)

why? it's literally what spying is... if the US decides to stop trying to spy on foreign adversaries then i'd say we're "fucked" as you so eloquently put it.

'cause they do it I can do it' is fucked up.

It may be pragmatic but it is fucked.

"Virginia has slaves, Kentucky must have slaves too".

I mean, it is pragmatic...

The CIA's focus is external intelligence. The 4th Amendment does not apply beyond the borders of the US. Barring it being a US citizen or national, of course, and I don't believe anyone has shown they routinely target those.

Not that the surveillance state is an entirely positive thing, mind you. I think we need much better controls on the various agencies. That does not, however, justify knee jerk reactions which aren't even accurate. All that sort of lazy argument does is give those who disagree an easy out.

Unfortunately even the "good guys" haven't felt that the 4th Amendment applies inside the United States.

Quote:

According to a blockbuster report from Circa.com, a Federal Intelligence Surveillance Act court has now found that the Obama administration violated its own guidelines when it radically expanded internet searches focused on American citizens in contravention of law.

According to the court:

Since 2011, NSA’s minimization procedures have prohibited use of U.S.-person identifiers to query the results of upstream Internet collections under Section 702. The Oct. 26, 2016 notice informed the court that NSA analysts had been conducting such queries in violation of that prohibition, with much greater frequency than had been previously disclosed to the Court.

What does this mean in plain language? It means that the Obama administration increased the number of searches involving Americans by a factor of three, and unmasked far more Americans than before 2011. Circa quotes the ACLU as stating that these are “some of the most serious [violations] to ever be documented and strongly call into question the US intelligence community’s ability to police itself.”

I would be quite disappointed if our intelligence agencies couldn't hack routers.

Perhaps, but those agencies are more interested in controlling you than they are in protecting you.

"Virginia has slaves, Kentucky must have slaves too".

Comparing US intelligence services spying on foreign countries to slavery has to be the dumbest comparison I've ever seen.
